May 2024: whatsrc.org distro status

kpcyrd kpcyrd at archlinux.org
Wed May 29 16:38:06 UTC 2024 

Dear list,

As of May 2024, I have imported source code data from the following 
distributions:

- Alpine Linux edge
- Arch Linux
- Debian sid, stable, stable-updates, stable-backports, stable-security
- Fedora rawhide
- Gentoo
- Guix
- Homebrew
- Kali Linux Rolling
- openSUSE Tumbleweed
- Ubuntu 24.04 (jammy, jammy-updates, jammy-security, jammy-backports)
- Void Linux
- WolfiOS

In total, at the time of writing, I've collected and indexed 224,790 
unique source code archives, and 33,193 dependency lockfiles 
(Cargo.lock, go.sum, package-lock.json, ...).

Think of this as "myspace for source code", you can check which 
operating systems a specific tar-file is friends with.

Or, put differently, each operating system gets a vote what they 
consider the source code for a given software release.

This approach works surprisingly well, for example there seems to be 
consensus about this being the source code for zsh 5.9:

https://whatsrc.org/artifact/sha256:9b8d1ecedd5b5e81fbf1918e876752a7dd948e05c1a0dba10ab863842d45acd5

In this case specifically it does not align with the contents of the zsh 
git repository (as-in "there's an unaccounted gap between the VCS and 
the reproducible builds project"). Since ultimately we should be more 
concerned with "what's the source code we be putting into our computers" 
I think it's obvious which one of those two one needs to review, if 
they'd want to code review.

There's also a diff feature, for example for the curl 8.8.0 git commit 
and tarball content you can inspect the differences here:

https://whatsrc.org/diff-right-trimmed/git:fd567d4f06857f4fc8e2f64ea727b1318f76ad33/sha256:589716016c1416cf70dc490b934626fc1524ea7b53ab4c0ca740a446262f04ba

Note this won't work for every git commit, only if the commit is 
referenced by one of the operating systems that can directly import from 
git (Arch Linux, Homebrew, WolfiOS).

In this case the reference is from Arch Linux (who's voting for an 
un-preprocessed git snapshot to be "the curl 8.8.0 source code release"):

https://whatsrc.org/artifact/git:fd567d4f06857f4fc8e2f64ea727b1318f76ad33

What's currently missing:

- NixOS package data: https://github.com/kpcyrd/what-the-src/issues/12
   - I'd really appreciate something like 
https://guix.gnu.org/packages.json for NixOS
- For Guix, only outputHashMode=flat is supported

Future plans:

- Currently none, I keep importing new releases but I'm also looking 
forward to Summer 2024

cheers,
kpcyrd

More information about the rb-general mailing list